Policy

Paying the Price

The UK Government Plans to Make Companies Pay for Failing to Meet Cybersecurity Requirements

To prevent cyberattacks happening on its shores, the UK government has announced that organisations could face fines of up to £17m if they fail to adequately assess risks and prevent attacks. Daniel Davies looks at whether networks can be secured by threatening companies’ bottom lines

At the end of October, the US government quietly told members of the nuclear, energy, aviation, water and critical manufacturing industries that their networks may have been targeted by hackers, and their data may have been compromised. The message was delivered via a privately distributed email, which in virtual, hushed tones talked about an escalation in the targeting of infrastructure in both Europe and the United States.

If on this occasion the US’ cloak-and-dagger approach to cybersecurity can be described as the carrot, then what the UK government wants to do, in response to similar threats, is definitely the stick.

The UK is currently in the process of implementing the European Union’s Networks and Information Systems (NIS) Directive. Under the directive, UK organisations could face fines of up to £17m, or 4% of global turnover, if they fail to take measures to prevent cyber attacks that have the potential to seriously disrupt critical services.

While the government acting to prevent significant damage to the UK's infrastructure, economy and populace has been welcomed by commentators, some have suggested the approach is too heavy-handed. But whether you support the severity of the approach or not, the bigger question may be: if organisations responsible for critical infrastructure aren’t already doing all they can to maintain cybersecurity measures, will the threat of a fine make a difference at all?

Are critical infrastructure organisations doing all they can?

The UK government has stressed that fines will only be issued as a last resort and will not be applied if organisations can prove that they have assessed risks adequately. But are the firms in control of services that directly influence daily life already doing all they can to protect against cyber attacks? Tim Erlin, vice president of product management and strategy at the cybersecurity firm Tripwire, doesn’t think so.

“The evidence in terms of cybersecurity incidents shows that most critical infrastructure organisations aren’t doing everything they can to protect themselves from attack,” says Erlin.

“Regulations and the corresponding fines are not designed for top performers in cybersecurity best practices. They’re designed to raise the bar for the industry as a whole by providing financial motivation to take specific actions. Regulations seek to establish basic best practices as common practice.”

“Regulations and the corresponding fines are not designed for top performers in cybersecurity best practices. They’re designed to raise the bar for the industry as a whole.”

Although the climate – not to mention the fact that the government feels it needs to intervene – would suggest that not enough is being done to secure the networks of critical infrastructure organisations, that isn’t necessarily the view from inside.

Speaking to Verdict Encrypt via email, a spokesperson for National Grid said: “Given our vital role in connecting people to their energy supplies, we take our responsibility very seriously. The IT systems we use to operate our gas and electricity networks are isolated from our everyday business systems to ensure our networks remain safe and reliable. National Grid has processes in place that are aligned with industry best practice and assessed by government and regulatory agencies.”

The advantages and disadvantages of fines

If, however, as Erlin suggests, critical infrastructure firms’ cybersecurity isn’t up to scratch then fines may encourage them to put adequate solutions in place and seek assistance if they need it. Erlin also says that the threat of a fine may make it easy to obtain budgets to counter the threat.

“The threat of a fine can be a powerful tool for obtaining needed budget for cybersecurity in organisations where it hasn’t traditionally been a priority, which is exactly where change is most needed. Fines provide a more concrete incentive over the often vague, imagined impacts of a cybersecurity incident,” says Erlin.

“Higher fines are going to make people find ways to not have to report that they had a breach.”

On the other hand, the threat of a fine may make it harder to secure networks, as organisations become increasingly reticent to share details about breaches for which they could be fined. Information sharing is pivotal to improving security, so could the threat of a fine actually be counterproductive? This is certainly an opinion endorsed by Steve Manzuik, director of Security Research at Duo Security’s Duo Labs, in an interview with Computer Business Review.

“Higher fines are going to make people find ways to not have to report that they had a breach,” said Manzuik. “If I know that my company will be fined because I didn’t do the basic security hygiene stuff, I’m going to be less willing to share how I got breached.”

Has the government already delivered its carrot?

In October, the government launched the National Cyber Security Centre. One of its many tasks is to work with UK industry, government departments, critical national infrastructure as well as private SMEs to offer trusted and independent advice, so having put this resource in place, the government may feel that it is justified in also having the threat of fines for companies who choose not to utilise it.

“The government is restricted in what levers it can pull to effect change in private industry.”

The introduction of fines may be a necessary counterpoint to the information and help the government has already put in place. “The government is restricted in what levers it can pull to effect change in private industry. Fines and incentives are par for the course, and can be very effective when used judiciously,” says Erlin.

Everyone has their part to play in securing the UK’s critical infrastructure organisations from cyber attacks. Given that the CEO of the NCSC, Ciaran Martin, has admitted that “many organisations need to do more to increase their cyber security,” it’s right that the government now has a stick in place, with the implementation of the NIS directive, with which to remind critical infrastructure organisations of the important role they have in maintaining the UK’s security.

PR nightmares: Ten of the worst corporate data breaches

​​​​​​​​​​​​​​LinkedIn, 2012

Hackers sold name and password info for more than 117 million accounts

Target, 2013

The personal and financial information of 110 million customers was exposed

JP Morgan, 2014

One JP Morgan Chase’s servers was compromised, resulting in fraud schemes yielding up to $100m

Home Depot, 2014

Hackers stole email and credit card data from more than 50 million customers

Sony, 2014

Emails and sensitive documents were leaked, thought to be by North Korea im retaliation for Sony’s production of a film mocking the country’s leader Kim Jong Un

Hilton Hotels, 2015

Dozens of Hilton and Starwood hotels had their payment systems compromised and hackers managed to steal customer credit card data

TalkTalk, 2015

The personal data of 156,959 customers, including names, addresses, dates of birth and phone numbers, were stolen

Tesco, 2016

Hackers made off with around $3.2m from more than 9,000 Tesco Bank accounts

Swift, 2016

Weaknesses in the Swift payment system resulted in $81m being stolen from the Bangladesh Central Bank’s account at the New York Federal Reserve

Chipotle, 2017

Phishing was used to steal the credit card information of millions of Chipotle customers, thought to be part of a wider restaurant customer scam orchestrated by an Eastern European criminal gang

LinkedIn, 2012

Hackers sold name and password info for more than 117 million accounts

Target, 2013

The personal and financial information of 110 million customers was exposed

JP Morgan, 2014

One JP Morgan Chase’s servers was compromised, resulting in fraud schemes yielding up to $100m

Home Depot, 2014

Hackers stole email and credit card data from more than 50 million customers

Sony, 2014

Emails and sensitive documents were leaked, thought to be by North Korea im retaliation for Sony’s production of a film mocking the country’s leader Kim Jong Un

Hilton Hotels, 2015

Dozens of Hilton and Starwood hotels had their payment systems compromised and hackers managed to steal customer credit card data

TalkTalk, 2015

The personal data of 156,959 customers, including names, addresses, dates of birth and phone numbers, were stolen

Tesco, 2016

Hackers made off with around $3.2m from more than 9,000 Tesco Bank accounts

Swift, 2016

Weaknesses in the Swift payment system resulted in $81m being stolen from the Bangladesh Central Bank’s account at the New York Federal Reserve

Chipotle, 2017

Phishing was used to steal the credit card information of millions of Chipotle customers, thought to be part of a wider restaurant customer scam orchestrated by an Eastern European criminal gang